APPLICATION OF YEAR 2000 LESSONS LEARNED

Report No. D-2001-175                    August 22, 2001

Office of the Inspector General
Department of Defense

Additional Copies

To obtain additional copies of this audit report, visit the Inspector General, DoD, Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

OAIG-AUD (ATTN: AFTS Audit Suggestions)
Inspector General, Department of Defense
400 Army Navy Drive (Room 801)
Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The identity of each writer and caller is fully protected.

Acronyms

ASD(C3I)   Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
CFO        Chief Financial Officer
CIO        Chief Information Officer
CIP        Critical Infrastructure Protection
DISA       Defense Information Systems Agency
DOT&E      Director, Operational Test and Evaluation
PSA        Principal Staff Assistant
Y2K        Year 2000

Office of the Inspector General, DoD
Report No.
D-2001-175                                                  August 22, 2001
(Project No. D2001AS-0006)

Application of Year 2000 Lessons Learned

Executive Summary

Introduction. During the late 1990s, DoD Components applied extensive efforts and expended significant resources towards preparing for the year 2000 conversion. As shown in the Office of Management and Budget 11th Quarterly Progress Report, “Department of Defense Status of Year 2000 Efforts,” November 15, 1999, DoD tracked 2,367 mission-critical and 7,267 nonmission-critical systems. The DoD also operated 637 military installations around the world and in the United States and relied on supporting infrastructure systems that were also vulnerable to year 2000 problems. In addition, the DoD had 15 centralized mainframe computer sites comprising 351 computer domains in operation on January 1, 2000. More than one-third of the Federal Government’s mission-critical systems were in the DoD. The DoD year 2000 challenge represented a substantial undertaking in scope, magnitude, and complexity that far exceeded any other Federal department. The enormous efforts that DoD undertook to ensure year 2000 readiness were largely successful. Since January 1, 2000, the common theme of year 2000 lessons learned by both the private and public sectors has been the in-depth awareness by managers and users of an organization’s dependency on information technology and of the interdependencies among organizations, commercial vendors, and systems.

Objectives. Our objective was to assess how widely and successfully the DoD had applied the lessons learned from the year 2000 conversion experience to other information technology programs and management issues.

Results.
Since the year 2000 rollover, many DoD Components adapted management experiences gained from the year 2000 conversion and reused and updated data compiled during those efforts, such as system inventories, thin-lines, contingency plans, and configuration management. The reuse of data and adaptation of management experiences were largely driven by individual actions within the DoD Components and not by the DoD Chief Information Officer. As a result, the DoD Components initiated and took commendable but varied steps to use year 2000 lessons learned in managing their information technology systems, whereas the DoD Chief Information Officer missed opportunities to readily lead the way in managing information assurance and information technology investments (finding A).

The DoD Chief Information Officer had not readily adapted year 2000 experiences to managing information assurance and information technology investments. As a result, the task of responding to congressional and Office of Management and Budget requirements for ensuring that systems and networks are reasonably secure, particularly with respect to the Government Information Security Reform requirements, and for complying with the Clinger-Cohen Act, has been made even more difficult (finding B).

Summary of Recommendations. We recommended that the Chief Information Officer, DoD, establish a written DoD management plan for information assurance compliance that will oversee the certification and accreditation process required by DoD Instruction 5200.40 and respond to the requirements of Government Information Security Reform.
We also recommended that the Chief Information Officer, DoD, assess the cost-effectiveness of purchasing new licenses for analysis and renovation tools to use in detecting defects or abnormalities in software; implement a mission or business area approach for managing information technology investments in accordance with the Clinger-Cohen Act and DoD Directive 5000.1; and implement an oversight process for complete repair, retirement, or replacement of systems that used date-windowing techniques during the year 2000 conversion process.

Management Comments. The Acting Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) concurred with the findings and recommendations, stating that management directed the Government Information Security Reform Integrated Process Team to develop a plan for Government Information Security Reform implementation that leveraged the assessment mechanism from the Defense Information Technology Security Certification and Accreditation Process. Management will also continue to assess the commercial market for analysis and renovation tools, and will consider publishing guidelines to assist in determining the best mix of tools. Additionally, the Deputy Chief Information Officer will undertake a thorough review and reengineering of information technology investment and acquisition oversight. The new information technology management and oversight concept includes portfolios and families of systems reviews, which are a mission or business area approach to managing information technology. A discussion of management comments is located at finding B of the report and the complete text is in the management comments section.

Audit Response. The Acting Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) comments were responsive except for comments on the DoD management plan.
The implementation plan developed by the Government Information Security Reform Integrated Process Team primarily focuses on the Government Information Security Reform requirements for FY 2001. The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) should also have a DoD management plan that oversees and provides guidance on the certification and accreditation of information systems and networks, using the DoD information technology registry as the starting point. We request that the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) provide additional comments by September 20, 2001.

Table of Contents

Executive Summary

Introduction
    Background
    Objectives

Findings
    A. Application of Year 2000 Lessons Learned
    B. DoD Chief Information Officer Application of Year 2000 Lessons Learned

Appendixes
    A. Audit Process
        Scope
        Methodology
        Prior Audit Coverage
    B. Matrix of Applied Year 2000 Lessons Learned
    C. Categories of Lessons Learned and Lasting Impact of Year 2000
    D. Report Distribution

Management Comments
    Acting Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)

Background

Year 2000 Conversion Efforts.
During the late 1990s, DoD Components applied extensive efforts and expended significant resources towards preparing for the year 2000 (Y2K) conversion. DoD spent an estimated $3.6 billion in its efforts to accomplish Y2K conversion, monitor activities during the rollover and leap year, and react to the problems that did occur. The DoD portion was about 44 percent of the total amount that the Federal Government spent on Y2K efforts.

The scope and complexity of the Y2K problem for DoD was unparalleled in the Federal Government. As shown in the Office of Management and Budget 11th Quarterly Progress Report, “Department of Defense Status of Year 2000 Efforts,” November 15, 1999, DoD tracked 2,367 mission-critical and 7,267 nonmission-critical systems. The DoD also operated 637 military installations around the world and in the United States and relied on supporting infrastructure systems that were also vulnerable to Y2K problems. In addition, the DoD had 15 centralized mainframe computer sites comprising 351 computer domains in operation on January 1, 2000. More than one-third of the Federal Government’s mission-critical systems were in the DoD. The DoD Y2K challenge represented a substantial undertaking in scope, magnitude, and complexity that far exceeded any other Federal department.

The Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) [ASD(C3I)] serves as the DoD Chief Information Officer (CIO). By using the system inventory and interdependency data, establishing an overall DoD Year 2000 Management Plan, and working through the Senior Steering Group, the DoD CIO played a prominent role in managing the progress of the Y2K conversion effort.
The Deputy Secretary of Defense chaired monthly DoD Y2K Steering Group meetings to review progress toward achieving readiness for Y2K. Participants in the meetings included senior DoD leaders, such as the Under Secretaries of Defense; Service Under Secretaries; Vice Chief of Staff of the Army; Vice Chief of Naval Operations; Assistant Commandant of the Marine Corps; Director, Operational Test and Evaluation; Principal Staff Assistants from the Office of the Secretary of Defense; DoD agency CIOs; and Joint Staff representatives. The final Senior Steering Group meeting was held on February 9, 2000.

The enormous efforts that DoD undertook to ensure Y2K readiness were largely successful. For example, only 61 out of 1,059 logistics systems experienced notable failures during or following January 1, 2000. Of the 61 systems with failures, 60 were nonmission-critical systems that did not go through end-to-end testing. Technicians were able to correct the Y2K problem for the one mission-critical system, the Streamlined Automated Logistics Transmission System, within hours of the failure because of their experience with a near-identical problem during Y2K testing.

Principal Staff Assistants. The Principal Staff Assistants (PSAs) for the Office of the Secretary of Defense report directly to the Secretary or the Deputy Secretary of Defense and are responsible for their respective business functional processes such as health affairs, personnel, communications, logistics, and weapon systems. During the Y2K conversion, the PSAs were responsible for coordinating the end-to-end testing for their respective business function processes. The PSAs also had various oversight responsibilities for their community systems.
For example, the PSA for Communications served as the Office of the Secretary of Defense (C3I) Y2K coordinator and oversaw approximately 600 mission-critical and 500 mission-essential systems.

Lesson Learned Reports. Since January 1, 2000, the common theme of Y2K lessons learned by both the private and public sectors has been the in-depth awareness by managers and users of an organization’s dependency on information technology and of the interdependencies among organizations, commercial vendors, and systems. Report 106-244 from the FY 2000 DoD Appropriations Bill directed DoD to provide a report to the congressional Defense committees by March 15, 2000, on Y2K lessons learned, emphasizing which additional programs should be continued and what lessons could be applied to information assurance. The ASD(C3I), Air Force, and Joint Staff prepared reports on Y2K lessons learned, while the Navy provided an undated document. See Appendix A for audit coverage by the Air Force, Army, and Navy on Y2K lessons learned.

Department of Defense. The ASD(C3I) report, dated March 15, 2000, detailed the DoD efforts to ensure Y2K readiness and identified the most important lessons to be used in future efforts to secure information infrastructures. Lessons learned, applicable to DoD and other Federal agencies, included an increased awareness of the need to cooperate on cross-cutting issues, the dependence on information technology systems, and the importance of computer professionals. The lessons learned for CIOs included the importance of partnerships, centralized guidance with decentralized execution, and an accurate inventory of information technology. According to the ASD(C3I) report, the DoD lessons learned provide a roadmap for improving information technology management, and the DoD CIO would monitor their implementation.

Air Force.
According to the Air Force Year 2000 Final Report, the Air Force collected more than 400 Y2K lessons learned suggestions from the Major Commands, Direct Reporting Units, and Field Operating Agencies. The Air Force consolidated the suggestions into 60 lessons and recommendations. Some key lessons learned included the need for improved resource management, including configuration management, procuring independent verification and validation tools, implementing code-scanning processes, a comprehensive information technology infrastructure database, and operational and system architectures at the mission level.

Joint Staff. Volume One of the Joint Staff Year 2000 Campaign Plan summarizes 12 lessons learned that were presented to the Deputy Secretary of Defense by the Joint Staff Y2K Task Force Leader. The lessons included reusing data compiled for Y2K efforts for other information technology issues, incorporating information technology issues into routine exercises and training, and developing a prototype Joint Operational Architecture. According to the Year 2000 Campaign Plan, the results of, and lessons learned from, the Y2K conversion process were to be maintained and used in future endeavors.

Navy. The Navy provided an undated document on Y2K lessons learned that stated that Navy Fleet, Systems Command, and Major Claimant representatives met to review the reasons for the success with Y2K conversion and to capitalize on the Navy investment of resources for Y2K preparations. The document summarized the key findings and presented recommendations for improvements in future information systems management.
Some of the key recommendations included broadening the duties and responsibilities of the Navy CIO, establishing a methodology for obtaining and maintaining current configuration information, and continuing the development and expansion of land-based laboratory interoperability testing. The document stated that steps were already underway to implement some of the recommendations. Furthermore, the document recommended that, as an enterprise, the Navy should embrace those initiatives and leverage the Y2K lessons learned to meet information technology challenges.

Objectives

Our objective was to assess how widely and successfully DoD applied the lessons learned from the Y2K conversion to other information technology programs and management issues. See Appendix A for a discussion of the audit scope and methodology.

A. Application of Year 2000 Lessons Learned

Since the year 2000 rollover, many DoD Components adapted management experiences gained from the Y2K conversion and reused and updated data compiled during those efforts, such as system inventories, thin-lines, contingency plans, and configuration management. The reuse of data and adaptation of management experiences were largely driven by individual actions within the DoD Components and not by the DoD CIO. As a result, the DoD Components initiated and took commendable and varied steps to use Y2K lessons learned in managing their information technology systems, whereas the DoD CIO missed opportunities to readily lead the way in managing information assurance and information technology investments.
(Finding B discusses these missed opportunities.)

Reuse of Year 2000 Inventory Database

The FY 2001 DoD Authorization Act Section 811, “Acquisition and Management of Information Technology,” requires the DoD CIO to maintain an inventory of DoD mission-critical and mission-essential information systems. In addition, section 811 requires identification of interfaces between the registered systems and other information systems and the development and maintenance of contingency plans for the systems registered with the DoD CIO. Section 811 requires registration information to be updated quarterly and requires each system to have an appropriate information assurance strategy as determined by the CIO. Section 811 prohibits awarding any contract for any system not registered with the DoD CIO. Section 811 supersedes section 8121, “Certifications as to Compliance with the Clinger-Cohen Act,” of the FY 2000 DoD Appropriations Act. The DoD CIO and DoD Components provided examples of reusing the Y2K inventory database for section 811 registration. However, the DoD Information Technology Registry, used for section 811 registration, records only whether the system has interfaces. According to DoD CIO representatives, ASD(C3I) relies on other databases, such as at the Component level, to identify the specific interface.

Principal Staff Assistants

The communications, financial, health affairs, logistics, and personnel communities applied Y2K lessons learned to include the reuse of data, management structure, configuration management, and end-to-end testing. However, the number and types of lessons learned that were applied varied among the PSAs.

Under Secretary of Defense (Comptroller).
In 2000, the DoD Chief Financial Officer (CFO) began efforts to institute a Y2K-type management approach to the DoD Financial and Feeder Systems Compliance Process, which entailed the implementation of a similar five-phased approach for ensuring that DoD critical finance, accounting, and feeder systems meet Federal financial management requirements. The process, which was recommended by the Inspector General, DoD, and endorsed by the General Accounting Office, includes lessons learned from the year 2000 such as:

    • requiring senior leadership involvement,

    • defining criticality of systems,

    • identifying required interfaces for all Components’ critical feeder systems and the Defense Finance and Accounting Service core accounting and finance systems, as well as other systems that originate financial transaction data,

    • requiring up-front mapping of data flows,

    • establishing Memorandums of Agreement between feeder system owners and the Defense Finance and Accounting Service,

    • assessing the compliance problem(s),

    • developing and implementing corrective action plans,

    • requiring end-to-end testing of integrated financial management systems, and

    • requiring independent audit verification of compliance.

The process was not formalized until January 2001, and it remains to be seen whether the change of administration will affect its implementation. We continue to believe that it can be an excellent way to coordinate the overall modernization of DoD financial management systems effort.

Logistics.
The Deputy Under Secretary of Defense (Deputy Under Secretary) applied Y2K lessons learned, including reusing data from Y2K and partnering with DoD, commercial, and university leaders.

Operational Architecture. The Deputy Under Secretary and the U.S. Transportation Command used the mission-critical threads (thin-lines) that they identified during Y2K end-to-end testing as the foundation for their operational architecture. In addition, the Deputy Under Secretary recaptured the thread information as the first level of data in its modeling and simulation tool called “G2.” G2 will use the data to document the baseline for future logistics information technology modernization.

Logistics Integration Center. Through the Y2K end-to-end testing and operational architecture efforts, the Deputy Under Secretary identified the need to review business rules and consider network-centric solutions already in use in commercial industry. The Logistics Integration Center was an initiative to focus on those considerations through partnerships with the Supply Chain Integration Center, based at the University of Maryland; the Joint Logistics Warfighting Initiative; the Enterprise Integration Center; and other industry leaders, such as Manufacturing Technology, Inc.

Health Affairs. The Assistant Secretary of Defense (Health Affairs) reused data obtained during Y2K and applied lessons learned to configuration management, end-to-end testing, and Memorandums of Agreement.

Change Order Process. The Office of the Assistant Secretary of Defense (Health Affairs) uses the change order process to manage changes to contracts with external business partners. Although the change order process existed prior to Y2K, the Assistant Secretary of Defense (Health Affairs) streamlined the process to support the timelines required by Y2K.
The result was a simplified and more direct process that enabled the Military Health System and its contractors to identify needed changes, communicate strategies, develop timelines and expectations, and implement changes in a more timely and effective manner. That streamlined process continued after Y2K and has enhanced communications, cooperation, and the efficiency and effectiveness of changes to information technology throughout the Military Health System.

Configuration Management. The Y2K effort provided a more accurate representation of system configurations through the use of tools such as the Military Health System Integrated Program Planning, Scheduling, and Reporting System, which has been maintained post-Y2K. During the Y2K program, the Military Health System realized that, to reduce vulnerabilities, it needed to increase the information on system software, hardware, and firmware configurations at the site level. The Military Health System carried this Y2K lesson learned forward into its certification and accreditation process by tracking system configurations to ensure that no modifications will affect security accreditation.

End-to-End Testing. The Assistant Secretary of Defense (Health Affairs) conducted end-to-end testing on one of the Military Health System’s core systems. Prior to Y2K, system testing included testing only the interface between two systems. However, during Y2K, the interface testing was combined with functional testing of a complete line of interconnected systems to test the functional flow as well as the interfaces and communications systems at the same time.

Memorandums of Agreement. The Medical Treatment Facilities routinely established memorandums of agreement with public and private sector partners to meet a variety of needs.
To meet Y2K contingencies, the Medical Treatment Facilities expanded the use of memorandums of agreement to ensure uninterrupted patient care and the continued operation of the facility. In addition, the Military Health System encourages the Military Treatment Facilities to re-evaluate and, when needed, update the memorandums of agreement on an annual basis.

Communications. The Office of the Secretary of Defense (C3I) applied lessons learned in end-to-end testing. The Joint User Interoperability Communications Exercise is an annual exercise for the Services, Reserve units, and the Defense Information Systems Agency (DISA). Although the exercise existed prior to Y2K, it had focused only on tactical switches. Since Y2K, the exercise was expanded to focus on the interoperability of the participants’ communications systems.

Weapon Systems. The PSA for weapon systems did not retain oversight of Y2K lessons learned applications. The PSA representative provided us with a list of points of contact from Service program executive offices to determine the application of Y2K lessons learned. However, because we focused at the PSA level to determine the application of Y2K lessons learned, we did not extend our audit steps to the Program Executive Office level.

Personnel. The Office of the Under Secretary of Defense (Personnel and Readiness) referenced Y2K efforts and products in the draft Defense Infrastructure Sector Assurance Plan for the Personnel Sector. For example, the plan requires the Personnel Sector to review and update Y2K system contingency plans and thin-line thread plans as appropriate.
The plan also requires the Personnel Sector to use mission-critical thin-lines, operational thread plans, Y2K contingency and continuity of operations plans, and Y2K response and recovery criteria for Critical Infrastructure Protection (CIP) purposes.

Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)

Using the relationships established during the Y2K conversion, the ASD(C3I), as the DoD CIO, continued to foster communications within DoD through the DoD CIO Executive Board, the DoD CIO worldwide conference, and the Information Knowledge Exchange Portal. Additionally, the CIP Directorate under Security and Information Operations adapted Y2K management approaches and concepts in preparing for protection of critical infrastructure. However, in managing other cross-cutting information technology initiatives, the DoD CIO had not taken full advantage of its Y2K experience, as discussed in finding B.

Continued Communications. The DoD CIO fostered communications within DoD through the DoD CIO Executive Board, the DoD CIO worldwide conferences, and the Information Knowledge Exchange Portal. DoD CIO representatives stated that the Y2K conversion resulted in a greater emphasis for the CIO Executive Board. Additionally, the DoD CIO adapted the Y2K management processes to the DoD CIO Executive Board process. According to DoD CIO representatives, the Board discusses and prioritizes information technology issues similar to the prioritization and discussions of Y2K issues during Senior Steering Group meetings. The DoD CIO also held a worldwide DoD CIO conference in August 2000 and plans to hold another in September 2001. Conferees discuss CIO issues and foster communications among the Office of the Secretary of Defense, the PSAs, the Joint Staff, and Unified Commands.
The Information Knowledge Exchange Portal allows users to exchange information using the web. Currently, 150 users have access to the portal, including the DoD CIO Executive Board members, the Office of the Secretary of Defense, the PSAs, the National Security Agency, and DISA. The portal is intended to facilitate collaboration on policy development and exchange of information. The users can create links to documents, charts, action databases, and calendars to share with other users. The portal contains information on Clinger-Cohen Act compliance, Public Key Infrastructure, and the Global Information Grid.

Critical Infrastructure Protection Plan. The CIP Directorate was adapting Y2K-developed management approaches and concepts, such as guidance, thin-lines, exercises, and integration of the warfighter, in preparing for protection of critical infrastructure. Critical infrastructure protection ensures the reliability of physical and cyber critical infrastructure. As a result of Y2K, the CIP Directorate developed an operational-readiness-focused DoD CIP directive. As of August 2001, the CIP Directorate was updating the draft directive based on comments received. Additionally, leveraging Y2K experience, the CIP Directorate was conducting outreach efforts to ensure infrastructure awareness and to create physical and cyber infrastructure thin-lines directly linked to Commander in Chief and Joint Component operational plans and mission requirements. The CIP Directorate also leveraged Y2K operations and consequence management training efforts by integrating CIP-related Military Significant Event List items into the Pacific Command Exercise Reception, Staging, Onward Movement, and Integration-00 and the Joint Staff Positive Force-01.
A CIP representative stated that physical infrastructure included in the exercises was a result of Y2K. The CIP representative emphasized that an important lesson learned from the Y2K experience was that CIP must address both cyber and physical infrastructure reliability issues and be driven by warfighter mission and capability requirements. In order to integrate the warfighter into the CIP process, the Joint Staff attended the CIP integration staff meetings, which included representatives from all critical infrastructure providers. On December 7, 2000, the ASD(C3I) reestablished the CIP Directorate and built a management structure under the Deputy Assistant Secretary of Defense for Security and Operations. The Deputy Assistant Secretary of Defense for Security and Operations also serves as the Deputy Critical Infrastructure Assurance Officer.

Director, Operational Test and Evaluation

As described in the Director, Operational Test and Evaluation (DOT&E) FY 2000 Annual Report, DOT&E provided support for Y2K worldwide verification activities, including expert assistance for cross-functional, inter-Service, and cross-system testing. DOT&E also contributed significantly to operational evaluation planning and execution in all of the Unified Commands. Throughout the Y2K operational evaluations, two issues appeared with some regularity: the need for configuration management and the incompletely addressed or unresolved problems with joint interoperability. In addition, organizations had failed to exercise their systems and capabilities to make sure that they worked.

Since the conclusion of the Y2K operational evaluations, DOT&E has continued initiatives resulting from the Y2K work. The DOT&E sponsored representatives at the U.S.
European Command, the Joint Forces Command, and United States Forces Korea, who work in areas related to operations planning, command, control, communications, and interoperability. During August 2000, DOT&E sent a team of nine people to support activities of United States Forces Korea’s annual Ulchi-Focus Lens 2000 command post exercise. That effort, which used the thin-lines methodology developed for the Y2K operational evaluations, concentrated on activities related to understanding and improving operational processes for preparing target nominations in the development of the Integrated Tasking Order, and on disseminating intelligence with emphasis on requests for information and intelligence summaries.

DOT&E suggested that because the Command, Control, Communication, Computer, and Intelligence infrastructure is in a state of continual change, and because the operational evaluations helped in identifying architectures and thin-line critical systems, DoD should consider institutionalizing periodic operational evaluations that would focus on interoperability once every 3 or 4 years. Such periodic exercises would update the Unified Commands’ assessments of their ability to meet mission requirements, allow them to verify the interoperability of existing systems and new programs, and identify those systems that could be eliminated.

Other DoD Components

The Army, Navy, Air Force, National Guard, DISA, and Joint Staff applied lessons learned from Y2K conversion efforts; however, the application varied among and within the DoD Components.

Lessons Learned Applied by the Army. The Director, Information Systems (Command, Control, Communications, and Computers) [The Director], reused the Y2K inventory database as a starting point to determine which Army systems to public key-enable.
Public key-enabled applications interoperate with DoD public key infrastructure to access public key certificates and general information in public directories or repositories. Within the Army, the Office of the Deputy Chief of Staff for Personnel Systems of Systems Architecture - Human Resources reused many data elements produced from Y2K to create a database of human resource systems.

Public Key Enabling of Applications. The Director reused the Y2K Army inventory database to assist in developing a list of Army applications to public key-enable. The Y2K inventory database was used to identify all Army mission-critical and mission-essential applications to prioritize which systems to public key-enable.

Personnel Systems of Systems Architecture - Human Resources. The Army Office of the Deputy Chief of Staff for Personnel Systems of Systems Architecture - Human Resources reused the Army Y2K inventory database as a starting point for the Personnel Systems of Systems Architecture - Human Resources web-based database. The system users maintain and update the Y2K data for users to evaluate the impact of a system or procedure change on other systems. The Personnel Systems of Systems Architecture - Human Resources database contains information on Army human resource systems and their interfaces. Reused Y2K system data includes information on hardware, software, thin-lines, and interfaces. Human Resources also reused Y2K manual contingency procedures that were combined with thin-line information to develop diagrams to map the information flow for business processes.

Lessons Learned Applied by the Navy.
The Navy CIO reused data collected during Y2K to populate the Navy information technology architecture database. Within the Navy, the Naval Systems Command developed a website for improved configuration management.

Navy Information Technology Architecture Database. The Navy CIO used the Y2K inventory database to populate the Department of the Navy Integrated Architecture Database. The inventory data collected for Y2K was used as a starting point for a complete inventory of applications for the Navy-Marine Corps Internet.

Software Update and Registration Website. The Naval Systems Command applied the Y2K lesson learned of improved configuration management. The Naval Systems Command developed a website for the 3,000 users of the GateGuard software to obtain the software update and to register that the update was completed. The registration process also resulted in an accurate database of commands and points of contact. That process has not yet been implemented Navy-wide.

Lessons Learned Applied by the Air Force. The Air Force CIO reused the Y2K inventory database for the Systems Compliance Database and established 11 focus groups to lead key information technology initiatives. The Air Force CFO reused the five-phased approach from Y2K for the CFO process. Within the Air Force, the Deputy Chief of Staff for Installation and Logistics planned to consolidate and reduce the number of logistics systems to achieve improved system management.

System Compliance Database. The Air Force CIO reused data captured in the Air Force Y2K inventory database to populate the System Compliance Database, which is used to better manage information technology investments. The database was expanded to include other data elements and also maintains data captured for Y2K purposes.
The Systems Compliance Database tracks systems for section 811 registration; the Air Force-unique Certificate of Networthiness status; Certification and Accreditation status; and the Command, Control, Computers, and Communication systems with the Intelligence Support Plan. Additionally, the database is a management tool for information technology issues such as the Air Force portal and the Global Combat Support Systems framework.

Information Technology Focus Groups. The management process developed to manage the Y2K conversion experience was a positive influence in the development of the focus groups established within the office of the Air Force CIO to manage information technology issues. The 11 focus groups were chartered to lead the way in adopting private industry’s best practices for the creation of a network-centric Air Force. Focus areas include the Air Force portal, server consolidation, communications computing transport layer architectures, information assurance architectures, and the Air Force Enterprise Concept of Operations.

Financial System Operations. The Air Force was one of the first DoD Components to adopt the Y2K Management Plan’s five-phase process--awareness, assessment, renovation, validation, and implementation--for the improvement of its financial system.

Consolidation of Systems. The Air Force Deputy Chief of Staff for Installation and Logistics issued a memorandum on May 10, 2000, requesting functional managers to consolidate and eliminate systems within a certain timeframe to attain an integrated system for installations and logistics information. The objectives were to better support the warfighter, to streamline and measure the performance of operations, and to reduce the cost of operating information systems.
The business process used to handle Y2K events was a driving force behind the logistics policy.

Lessons Learned Applied by the National Guard. The Army National Guard used information from the Y2K inventory database as a starting point in the continued development of the Army National Guard Enterprise Architecture. The systems identified in the inventory, both hardware and software, served as a reference point for determining the function of the operating system currently required within the Army National Guard. Additionally, the Army National Guard uses the inventory information for the continued development of systems by comparing and exploring existing system functions and designs to meet the functional requirements of the users. To better manage its inventory and keep it current, the Army National Guard was developing a web application using the inventory developed during Y2K to identify whether each inventory application was a commercial off-the-shelf, Government off-the-shelf, or in-house application. The Air National Guard updates the software inventory used during Y2K whenever changes are necessary for software maintenance or upgrades.

Lessons Learned Applied by the Defense Information Systems Agency. DISA reused the Y2K inventory database to develop its technical architecture and interface control documents to identify all interfaces. In addition, DISA annually updates its contingency plans that were developed during Y2K. DISA Western Hemisphere also continues the configuration management efforts that it began for Y2K conversion efforts.

Reusing Inventory. DISA reused the Y2K inventory of applications as a baseline for the development of its technical architecture. The inventory was also used to develop the system’s view of DISA architecture, which includes identifying interfaces and components that make up the system.
In addition, the Y2K inventory was incorporated into the DISA Certification and Accreditation process to be used as a system review, which includes the identification of interfaces, the components that make up the system, and the data flow, before the system is accredited.

Updating Interface Control Documents. Reviewing and updating interface control documents was critical to the Y2K process because that process brought about the need for defining interfaces. DISA renewed its effort on the identification of interfaces and, as part of that effort, requires an Interface Control Document as an entrance requirement for any new interface. DISA updates the interface control documents when the interfaces are tested, based on testing results.

Updating Contingency Plans. The Y2K conversion efforts helped DISA to formalize contingency plans for systems. DISA also continues to annually update those contingency plans, including incorporating contingency planning for distributed denial of service attacks through the Internet.

Maintaining Configuration Management.
DISA Western Hemisphere continues to maintain two areas of the configuration management database that underwent significant changes during Y2K.

• All associated information about customer applications running on the mainframe and the software versions, which run at different locations, proved to be a valuable addition to the inventory and gave the enterprise useful information about the applications.

• DISA Western Hemisphere tracked executive software at a more granular level, including the version levels and vendor patch information, and added tables to associate specific products with customer applications. The information contributes significantly to software optimization and cost savings.

Joint Staff. The Joint Staff published 12 lessons learned in the “Year 2000 Campaign Plan, Volume 1”; however, only 2 of the 12 lessons were adapted. The Joint Staff established CIOs and developed a prototype Joint Operational Architecture. In creating the prototype Joint Operational Architecture, the Joint Staff did reuse some thin-lines developed during Y2K, but it was only a small part of the information used from other sources.

Conclusion

The PSAs, ASD(C3I), and other DoD Components provided examples of applying Y2K lessons learned. Appendix B provides a more detailed matrix of lessons learned for the following categories: data reuse, adaptation of management experiences, senior management involvement, and continuing partnerships. Appendix C explains these categories and summarizes discussions with DoD Components and PSAs on the lasting impact of Y2K. The DoD Components applied Y2K lessons learned in a variety of ways.
However, the DoD CIO did not take full advantage of using Y2K lessons learned to lead the way in managing information technology investments and information assurance.

B. DoD Chief Information Officer Application of Year 2000 Lessons Learned

The DoD Chief Information Officer had not readily adapted its Y2K experiences to managing information assurance and information technology investments. The DoD Chief Information Officer missed opportunities to proactively adapt management approaches, knowledge, and data on systems and interdependencies gained through the Y2K conversion process to managing the security of DoD systems. Additionally, the DoD Chief Information Officer had not shown where Y2K lessons learned were adapted for managing information technology investments, as reported to Congress. As a result, the task of responding to congressional and Office of Management and Budget requirements for ensuring that systems and networks are reasonably secure, particularly with respect to the Government Information Security Reform requirements, and for complying with the Clinger-Cohen Act¹ has been made even more difficult.

Year 2000 Data and Management Experiences

During the process of preparing for Y2K, DoD developed data and processes that were applicable to managing information assurance and information technology investments. However, between January and February 2000, individuals assigned to address the Y2K challenge were released and assigned other duties.
Because of the release of these personnel, DoD lost their knowledge and information gained through the Y2K conversion.

Information Assurance. The ASD(C3I), as the DoD CIO, issued the DoD Year 2000 Management Plan to provide a management approach, planning strategy, policy, and actions that enabled DoD to address the Y2K challenge. Additionally, DoD created a database that listed its information technology systems; identified the interfaces between systems; developed thin-lines, which detailed the systems that worked together to complete a particular warfighting mission; and conducted operational evaluations on how processes would continue if key systems failed. Further, the Services and several Defense agencies purchased code-scanning tools.

Information Technology Investments. During the Y2K conversion, DoD Components clearly appreciated the importance of the interoperability of systems and prioritized and invested resources to verify Y2K compliance for the most critical systems and interfaces. DoD Components realized that the inputs, outputs, and interfaces between systems must all work together to successfully perform a mission. DoD used integration testing, continuity of operations plans, and thin-line architectures to prioritize and manage Y2K compliance efforts within core business and mission areas. The integration testing concentrated on end-to-end testing of business functions and warfighter missions necessary to carry out the national military strategy.

¹ Public Law 104-106, Clinger-Cohen Act of 1996, Division E, “Information Technology Management Reform,” formally the Information Technology Management Reform Act.
DoD used the continuity of operations plans as high-level plans designed to ensure that the capability to perform a core mission or function would continue despite disruptions to supporting systems. Thin-line architectures provided insights into warfighting tasks and the reliance on information technology systems. Through these Y2K conversion efforts, DoD senior managers became more aware of the enterprise-wide architectures, missions, business areas, and information technology within DoD.

Information Assurance

The DoD CIO did not take full advantage of Y2K experiences because the DoD CIO missed opportunities to apply lessons learned to information assurance. Several missed opportunities included ensuring the implementation of Joint Staff-developed lessons learned for information assurance, developing overall management guidance for information assurance, reusing the Y2K inventory database to track a system’s security status and certification and accreditation date, and renewing licenses for code-scanning tools.

Congressional Report 106-244. In Report 106-244 from the FY 2000 DoD Appropriations Bill, the Committee on Appropriations stated that the steps taken for dealing with the Y2K conversion process were directly related to addressing information assurance. Additionally, the Committee requested a report on lessons learned from Y2K with particular emphasis on what lessons could be applied to information assurance.
The ASD(C3I) report to the congressional Defense committees on Y2K lessons learned, required by Report 106-244, provided the following three statements of lessons learned that the Joint Staff, in coordination with the Unified Commands and other DoD Components, could apply to information assurance.

• Consider databases, thin-lines, and leftover documentation for reuse in information assurance.

• Code-scanning tools had many positive management benefits for future information assurance and information technology initiatives, and DoD would renew licenses for the tools.

• Incorporate information assurance, critical infrastructure protection, interoperability, and configuration management into routine exercises and training.

The Joint Staff representatives did not provide examples that showed lessons learned had been applied.

The ASD(C3I) report did not state how the DoD CIO would apply Y2K lessons learned to managing information assurance. However, the DoD CIO concluded in the report that “the DoD Y2K effort has laid a firm foundation for longer term improvements in managing and protecting information technology systems….”

Developing Guidance. The ASD(C3I), as the DoD CIO, issued the DoD Year 2000 Management Plan to provide DoD with centralized policy and oversight in preparing for Y2K. The plan included specific procedures for Y2K reporting and certification requirements of DoD Components. The plan also included a description of the five-phase Y2K management process that DoD Components were to use. As discussed in finding A, some PSAs and DoD Components did adapt their Y2K system inventory for managing security certification and accreditation.
If the DoD CIO had taken steps to develop guidance on information assurance similar to the procedures in the DoD Y2K Management Plan, clear direction could have been provided for the PSAs and DoD Components, along with a DoD-wide perspective for tracking security status.

Tracking Security Status. During Y2K, the DoD Y2K office maintained the DoD Y2K database for mission-critical information technology systems to provide the DoD CIO and the CIOs of DoD Components with the visibility necessary to ensure a thorough and successful Y2K transition. Each agency reported on the status of its mission-critical systems, including information on the number of systems that were Y2K compliant, being replaced, repaired, and retired. The ASD(C3I), as DoD CIO, used the information to perform oversight and compiled the information for submission to the Office of Management and Budget.

The FY 2001 Defense Authorization Act (Public Law 106-398), Title X, Subtitle G, “Government Information Security Reform,” was promulgated to improve oversight of Federal agency information security programs. Each year, the applicable agency head must submit to the Director, Office of Management and Budget, an assessment of the security program and the systems’ security. The Act also requires the Director, Office of Management and Budget, to submit a report to Congress summarizing the information received from each agency.

The DoD CIO should have adapted the Y2K reporting mechanism to oversee compliance with the Government Information Security Reform requirements. The DoD CIO is in the process of responding to the Government Information Security Reform requirements but missed the opportunity to provide a better foundation for managing information security by not readily adapting management experiences and knowledge gained during Y2K conversion.

Tracking Certification and Accreditation.
In preparing for Y2K, the DoD CIO tracked the status of the Y2K certification for each system. The DoD Y2K Management Plan required Components to provide the date and level of Y2K certification for mission-critical systems for input into the DoD Y2K database.

DoD Instruction 5200.40, “DoD Information Security Certification and Accreditation Process,” December 30, 1997, implements policy, assigns responsibilities, and prescribes procedures for certification and accreditation of information technology, including automated information systems, networks, and sites in DoD. DoD Instruction 5200.40 assigns oversight responsibility to the ASD(C3I) to ensure that each designated approving authority implements and maintains the DoD Information Technology Security Certification and Accreditation Process for DoD Component and DoD contractor information technology and networks under its jurisdiction.

The DoD CIO could have taken advantage of an opportunity to use the Y2K database as a starting point for overseeing the Certification and Accreditation process required by DoD Instruction 5200.40.

Reusing Y2K Analysis and Renovation Tools. DoD used analysis and renovation tools during Y2K as part of the independent verification and validation process to detect missed date fields and invalid date-processing logic and to validate corrected code.
The DoD-provided tools, McCabe Visual 2000 and Mercury Interactive WinRunner 2000, allowed users to analyze programs for errors and to test them after repairs or upgrades were made.

In an August 11, 1999, memorandum, “Use of Department of Defense Provided Tools for Software Testing,” the Office of the Assistant Secretary of Defense (C3I) stated that the McCabe tool could also be used for information assurance. Additionally, DoD Y2K lessons learned reports mentioned the importance of reusing the code-scanning tools. For example, the Air Force report recommended that independent verification and validation procedures become an integral part of configuration management.

The DoD Information Security Certification and Accreditation Process consists of the definition, verification, validation, and post-accreditation phases. The goal of the verification phase is to produce a fully integrated system ready for certification testing by verifying system compliance with security requirements. The formal certification test and the decision to accredit the system are performed in the validation phase. DoD did not take advantage of reusing code-scanning tools for validation and verification under the DoD Information Security Certification and Accreditation Process. Routinely using the DoD-provided tools would significantly enhance DoD software maintenance and quality surveillance efforts in the future. The DoD CIO representatives stated that although the tools were necessary, the Services did not want to fund them and the DoD CIO did not require their use.

Information Technology Investments

The DoD CIO did not take full advantage of Y2K experiences because the DoD CIO missed opportunities to apply lessons learned to information technology investments, particularly with respect to portfolio management.
The ASD(C3I) report to the congressional Defense committees stated that the CIO lessons apply to DoD efforts to achieve compliance with the Clinger-Cohen Act; however, the report did not specify how the DoD CIO planned to use lessons learned to manage information technology investments.

Business or Mission Area Focus. The Y2K conversion process not only drove the identification of individual mission-critical systems and interdependencies, but also resulted in the identification of core business and mission areas. As a consequence, DoD focused Y2K end-to-end testing requirements on the most crucial operations and business functions and their underlying infrastructure of interconnected systems. The DoD CIO could have used the already identified core processes, missions, and systems in its efforts to manage information technology investments.

Information Technology Investment Management. The Clinger-Cohen Act requires an analysis of the missions and business areas before making significant investments in information technology. That analysis would require an understanding of their underlying portfolios of information technology investments in systems and networks.
Additionally, DoD Directive 5000.1, “The Defense Acquisition System,” October 23, 2000, states that the acquisition community should adopt “a family-of-systems management approach to ensure that their reviews of individual systems include a thorough understanding of critical system interfaces related to the system under review.” DoD Components performed analysis of core business and mission areas and their critical systems and interfaces as part of their Y2K conversion efforts. Also, ASD(C3I) was developing portfolio management to change the way of investing in information technology systems from focusing on reviews of individual systems to “portfolios” of information technology investments. Portfolios were to be established by grouping information technology investments by mission-related or administrative processes. The ASD(C3I) representatives envisioned that portfolio management would be an ongoing, collaborative process, performed by stakeholder teams representing all life-cycle activities, and driven by mission outcomes and contribution to the mission. Y2K lessons learned on core business and mission areas and their underlying portfolios of critical systems and interfaces could have been used to formulate an approach to managing information technology investments in a more disciplined manner. However, as of August 2001, the guidance initiated by ASD(C3I) on portfolio management remained in draft and portfolio management had not yet been implemented by ASD(C3I).

Information Technology Retirement and Modernization. We asked the DoD Components and PSAs if Y2K aided in accelerating the retirement of legacy systems and in modernizing information technology systems. Several DoD Components and PSAs tracked the accelerated retirement of legacy systems and accelerated modernization of systems.
The Army, Air Force, DISA, Army National Guard, and the PSA for Personnel all provided examples of systems retired early because of Y2K. DISA, the Army National Guard, and the PSA for Communications provided examples of systems that were modernized early because of Y2K. According to DoD CIO representatives, many systems were replaced or terminated rather than repaired as a conscious information management strategy. Replacement strategy systems were those that were taken out of the inventory and replaced by one or more existing or new systems prior to January 1, 2000. Termination strategy systems were those that were turned off prior to January 1, 2000. There were 95 mission-critical and 412 nonmission-critical replacement strategy systems and 127 mission-critical and 1,177 nonmission-critical termination strategy systems.

A portfolio approach could continue to help identify modernization needs and retirement or replacement of legacy systems. The Clinger-Cohen Act states that information technology should be evaluated to determine whether to continue, modify, or terminate a program or project. Systems should be retired if their elimination would not disrupt accomplishing a mission, or systems should be replaced if more efficient products exist, such as commercial off-the-shelf products.

Other Uses of Y2K Inventory Database. DoD CIO representatives stated that the Y2K inventory database, now called the DoD Information Technology Registry, was used for the section 811 registration. The DoD CIO representatives mentioned that they could be doing more with the database, in addition to tracking section 811 registration, but had not identified the necessary additional information.
For example, the DoD CIO representatives mentioned that the database could track CFO compliance or date-windowing compliance. Date-windowing was used as a temporary solution for Y2K problems by converting 2-digit dates into 4-digit dates when needed. However, date-windowing does not change the 2-digit dates throughout the system’s data and will only interpret the date correctly for the appropriate century when used within a certain window of time. When the window expires, the system will interpret dates incorrectly; therefore, the system must be repaired, replaced with new technology, or retired because it is no longer useful. Draft guidance, “Repairing Latent Year 2000 Defects Caused by Date Windowing,” was prepared by the Office of the ASD(C3I). However, as of August 2001, the guidance had not been issued. DoD may lose oversight of the date-windowed systems if guidance is not issued.

Implementing Year 2000 Lessons Learned

In preparing for Y2K, DoD developed complete inventories of information technology. Thin-lines were established, which could have assisted in focusing information assurance requirements on the most critical systems. Contingency plans were prepared or updated to assist in ensuring that processes continued during system failures. End-to-end test plans were available for adaptation to test for identifying information assurance vulnerabilities on systems that were interconnected. This was particularly important because of the interconnection of systems between Services and agencies. Also, core mission and business areas were identified that could have been used in managing information technology investments. The magnitude of the Y2K conversion effort will probably not occur again.
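Returning to the date-windowing mechanism described under "Other Uses of Y2K Inventory Database" above, the following added example (not from the report or any DoD system) models a fixed 100-year window over 2-digit years, shows the silent misinterpretation that occurs once the window expires, and ranks an inventory of windowed systems by remaining window life, the kind of oversight the report says DoD risks losing. The 1950 window start, the system names, and the repair horizon are constructed assumptions.

```python
"""Date-windowing demonstration (added example, not from the DoD IG report).

A date-windowed system keeps its 2-digit years on disk and only changes how
it *interprets* them: every 2-digit year is mapped into one fixed 100-year
window. Dates outside that window are read as the wrong century without any
error being raised.
"""
from datetime import date

# Constructed assumption: the window's lowest representable year is 1950, so
# 2-digit years 50..99 read as 1950..1999 and 00..49 read as 2000..2049.
WINDOW_START = 1950
# Constructed assumption: flag systems whose window expires within 10 years.
REPAIR_HORIZON = 10


def window_year(yy: int, window_start: int = WINDOW_START) -> int:
    """Expand a 2-digit year into a 4-digit year using a fixed 100-year window."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    century_base = window_start - window_start % 100   # e.g. 1900 for a 1950 window
    year = century_base + yy
    if year < window_start:                            # below the window: next century
        year += 100
    return year


def window_end(window_start: int = WINDOW_START) -> int:
    """Last 4-digit year the window can still represent correctly."""
    return window_start + 99


def interpret_record(yy: int, mm: int, dd: int,
                     window_start: int = WINDOW_START) -> date:
    """Interpret a stored YY/MM/DD record the way the windowed system would."""
    return date(window_year(yy, window_start), mm, dd)


def is_misinterpreted(true_year: int, window_start: int = WINDOW_START) -> bool:
    """True when a genuine 4-digit year, stored as 2 digits, reads back as a
    different year, i.e. the year lies outside the window (before or after)."""
    return window_year(true_year % 100, window_start) != true_year


def years_until_expiry(current_year: int, window_start: int = WINDOW_START) -> int:
    """Years left before newly produced dates fall outside the window.
    Negative means the window has already expired."""
    return window_end(window_start) - current_year


def expiry_report(systems: dict, current_year: int) -> list:
    """Oversight helper: rank date-windowed systems by remaining window life.

    `systems` maps a system name to its window start year (constructed data).
    Returns (name, years_left, status) tuples, soonest expiry first, so the
    repair / replace / retire decision can be scheduled before data goes bad.
    """
    rows = []
    for name, start in systems.items():
        left = years_until_expiry(current_year, start)
        if left < 0:
            status = "EXPIRED"
        elif left < REPAIR_HORIZON:
            status = "REPAIR/RETIRE"
        else:
            status = "ok"
        rows.append((name, left, status))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    # Inside the window: a 1999 record stored as "99" and a 2001 record stored
    # as "01" both read back correctly.
    print(interpret_record(99, 12, 31))    # 1999-12-31
    print(interpret_record(1, 8, 22))      # 2001-08-22
    # After the window expires: a genuine 2050 record stored as "50" silently
    # becomes 1950. Nothing fails loudly; the data is simply wrong.
    print(interpret_record(50, 1, 1))      # 1950-01-01
    print(is_misinterpreted(2050))         # True
    # Constructed inventory: a windowed payroll system, a system windowed at
    # 1910, and an unrepaired system that still reads every year as 19xx.
    inventory = {"PAY-A": 1950, "HR-C": 1910, "UNREPAIRED-D": 1900}
    for row in expiry_report(inventory, current_year=2001):
        print(row)
```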
    Therefore, the DoD CIO must not ignore the benefits
    of the knowledge and experience gained when managing future information
    assurance and information technology investments.

Recommendations, Management Comments, and Audit Response
    We recommend that the Assistant Secretary of Defense (Command,
    Control, Communications, and Intelligence), as the Chief Information
    Officer, DoD:

           1. Establish a written DoD management plan for information
    assurance compliance that will oversee the Certification and Accreditation
    process required by DoD Instruction 5200.40, “DoD Information
    Technology Security Certification and Accreditation Process,”
    December 30, 1997, and that will respond to the requirements of
    Government Information Security Reform.

    Management Comments. The Acting Assistant Secretary of Defense
    (Command, Control, Communications, and Intelligence) concurred and stated
    that the Government Information Security Reform Integrated Process Team was
    directed to develop a plan for Government Information Security Reform
    implementation. The second phase of the plan leveraged the assessment
    mechanism from the Defense Information Technology Security Certification and
    Accreditation Process.

    Audit Response. We consider management comments to be partially
    responsive. The implementation plan developed by the Government Information
    Security Reform Integrated Process Team primarily focuses on the Government
    Information Security Reform requirements for FY 2001. The Assistant
    Secretary of Defense (Command, Control, Communications, and Intelligence)
    should also have a DoD management plan that oversees the certification and
    accreditation process for information systems and networks, using the DoD
    information technology registry as a starting point.
    Accordingly, we request
    additional comments on a DoD management plan that specifically discusses
    oversight and guidance on information systems and networks that require
    certification and accreditation.

           2. Assess the cost-effectiveness of purchasing new licenses for
    analysis and renovation tools to use in detecting defects or abnormalities in
    software.

           3. Implement a mission or business area approach for managing
    information technology investments in accordance with the Clinger-Cohen
    Act and DoD Directive 5000.1, “The Defense Acquisition System,”
    October 23, 2000.

           4. Implement an oversight process for complete repair, retirement,
    or replacement of systems that used date-windowing techniques during the
    year 2000 conversion process.

    Management Comments. The Acting Assistant Secretary of Defense
    (Command, Control, Communications, and Intelligence) concurred with
    Recommendations 2., 3., and 4. Management will continue to assess the
    commercial market for analysis and renovation tools to use in detecting defects
    or abnormalities in software. Along these lines, management will consider
    funding a series of studies and publishing guidelines based upon them to assist in
    determining the best mix of analysis and renovation tools.

    The Deputy Chief Information Officer will undertake a thorough review and
    reengineering of information technology investment and acquisition oversight.
    The new information technology management and oversight concept includes
    portfolios and families of systems reviews, which are a mission or business area
    approach to managing information technology. Other components include
    mission area management, to direct the mission from an enterprise perspective;
    investment portfolios and families of systems to maximize total information
    technology capabilities for mission outcomes; Global Information Grid
    architecture and implementation to guide the evolution of portfolios and families
    of systems; families of systems reviews to oversee total information technology
    and ensure interoperability and architecture; rapid acquisition oversight to speed
    delivery of effective information technology capabilities to users; and leadership
    and partnership to establish central guidance with distributed execution.
    Further, the oversight process for the repair, retirement, or replacement of
    systems that used date-windowing techniques during the year 2000 conversion
    process will be included in the family of systems reviews.

Appendix A. Audit Process

Scope
    Work Performed. We reviewed and evaluated the application of lessons
    learned from Y2K within the Office of the DoD CIO, the Services, Joint Staff,
    DISA, the National Guard, and the PSAs for Health Affairs, Communications,
    Logistics, Personnel, and Weapon Systems. We focused our review on three
    main areas: data reuse, management structure and processes, and the
    continuation of partnerships from the year 2000. We interviewed personnel
    from each office who were involved with the Y2K conversion and familiar with
    any application of lessons learned from Y2K. We compared the
    application of lessons learned among and within each of the Components.

    DoD-Wide Corporate Level Government Performance and Results Act
    Coverage. In response to the Government Performance and Results Act, the
    Secretary of Defense annually establishes DoD-wide corporate level goals,
    subordinate performance goals, and performance measures.
    This report pertains
    to achievement of the following goal and subordinate performance goal.

             FY 2001 DoD Corporate Level Goal 2: Prepare now for an uncertain
             future by pursuing a focused modernization effort that maintains U.S.
             qualitative superiority in key warfighting capabilities. Transform the
             force by exploiting the Revolution in Military Affairs, and reengineer
             the Department to achieve a 21st century infrastructure. (01-DoD-2)

             FY 2001 Subordinate Performance Goal 2.5: Improve DoD
             financial and information management. (01-DoD-2.5)

    DoD Functional Area Reform Goals. Most major DoD functional areas have
    also established performance improvement reform objectives and goals. This
    report pertains to achievement of the following functional area objective and
    goal.

    Information Technology Management Functional Area.

             Objective: Reform information technology management processes to
             increase efficiency and mission contribution. Goal: Institute
             fundamental information technology management reform efforts.
             (ITM-3.2)

Methodology
    Audit Type, Dates, and Standards. We performed this economy and
    efficiency audit from December 2000 through May 2001, in accordance with
    auditing standards issued by the Comptroller General of the United States, as
    implemented by the Inspector General, DoD. We did our work in accordance
    with generally accepted Government auditing standards except that we were
    unable to obtain an opinion on our system of quality control. The most recent
    external quality control review was withdrawn on March 15, 2001, and we will
    undergo a new review. We did not use computer-processed data for this audit.

    Contacts During the Audit.
    We visited or contacted individuals and
    organizations within DoD. Further details are available upon request.

    Management Control Program Review. We did not review the management
    control program because we identified no relationship between it and the overall
    audit objective.

Prior Audit Coverage
    General Accounting Office
    GAO Report No. AIMD-00-290, “Year 2000 Computing Challenge: Lessons
    Learned Can Be Applied to Other Management Challenges,” September 2000

    Inspector General, DoD
    Inspector General, DoD, Report No. D-2000-041, “Deficiencies in FY 1998
    DoD Financial Statements and Progress Toward Improved Financial
    Reporting,” November 26, 1999

    Army Audit Agency
    Report No. AA-00-214, “Summary of Year 2000 Audit Coverage – Lessons
    Learned,” March 31, 2000

    Memorandum Report No. AA 00-90, “Lessons Learned – Year 2000
    Audit/Consultation Effort,” November 24, 1999

    Naval Audit Service
    Assessment Report No. N2000-0024, “Y2K Lessons Learned,” May 1, 2000

    Memorandum: “Lessons Learned From Y2K Conversion,” September 30, 1999

    Air Force Audit Agency
    Memorandum: “Lessons Learned From Y2K Conversion,” September 30, 1999

Appendix B.
Matrix of Applied Year 2000 Lessons Learned

    Columns, left to right: Data Reuse (811 Inventory, Other Inventory, Thin
    Lines, CP/COOPs, MOAs); Adaptation of Y2K Management Experiences;
    Senior Management Involvement; Continuing Partnerships; Lasting Impact.

    Agency/Component/PSA   811   Other  Thin   CP/    MOAs  Adapt.  Sr.     Cont.   Lasting
                           Inv.  Inv.   Lines  COOPs        Mgmt    Mgmt    Partn.  Impact
                                                            Exper.  Invol.
    ASD (C3I)              Yes   N/E    N/E    N/E    N/E   Yes     Yes     Yes     Sig
    Army                   Yes   Yes    Yes    Yes    N/E   N/E     Yes     N/E     Sig
    Navy                   Yes   Yes    N/E    N/E    N/E   Yes     Yes     Yes     Sig
    Air Force              Yes   Yes    N/E    N/E    N/E   Yes     Yes     Yes     Sig
    Marine Corps           N/E   N/E    N/E    N/E    N/E   N/E     Yes     N/E     Sig
    DISA                   Yes   Yes    N/E    Yes    N/E   Yes     Yes     Yes     Mod
    Army National Guard    Yes   Yes    N/E    Yes    N/E   N/E     Yes     Yes     Sig
    Air National Guard     N/E   Yes    N/E    N/E    N/E   N/E     Yes     N/E     Min
    Joint Staff            N/E   N/E    Yes    N/E    N/E   N/E     Yes     N/E     Sig
    Health Affairs         Yes   N/E    N/E    Yes    Yes   Yes     Yes     Yes     Sig
    Personnel              N/E   Yes    Yes    Yes    N/E   Yes     N/E     Yes     Sig
    Com                    N/E   N/E    N/E    N/E    N/E   Yes     Yes     Yes     Sig
    Logistics              Yes   N/E    Yes    N/E    N/E   Yes     N/E     Yes     Sig
    Weapons Systems        N/E   N/E    N/E    N/E    N/E   N/E     N/E     N/E     N/E

         Com                PSA for Communications
         CP/COOPs           Contingency Plans/Continuity of Operations Plans
         Min                Minimal Impact
         MOAs               Memorandums of Agreement
         Mod                Moderate Impact
         N/E                No Evidence provided of lesson learned application
         Sig                Significant Impact
         Yes                Partial or Overall application of lesson learned

Appendix C. Categories of Lessons Learned and Lasting Impact of Year 2000

Categories of Lessons Learned
    Data Reuse. During the audit, we asked the DoD Components and PSAs to
    provide examples of data collected during the Y2K conversion that proved
    useful for other purposes and to explain how those data were maintained.
    Examples of data reuse included system inventories, thin-lines, system
    contingency plans and organizational continuity of operations plans, and
    memorandums of agreement. The majority of DoD Components and PSAs
    stated that they had applied Y2K data to other information technology purposes.
    For example, the Army, the Joint Staff, and the PSAs for Personnel and
    Logistics provided examples of reusing Y2K thin-lines. On the other hand, the
    Marine Corps and the PSA for Communications did not provide examples of
    data reuse.

    Adaptation of Y2K Management Experiences.
    During the audit, we asked
    the DoD Components and PSAs to provide examples of Y2K management
    experiences that had been adapted to other information technology issues. We
    also asked them to provide examples of end-to-end tests or evaluations
    performed since the Y2K rollover. Most of the Components and PSAs were
    able to provide examples of applied Y2K management processes. For example,
    a DoD CIO representative and the PSAs for Health Affairs, Personnel,
    Communications, and Logistics provided examples of reusing the Y2K testing
    structure for other purposes. However, the Army, Marine Corps, National
    Guard, and Joint Staff did not provide examples of applied Y2K management
    processes.

    Senior Management Involvement. During the course of the audit, we asked
    the DoD Components and PSAs to discuss the extent to which senior managers
    and commanders from their respective organizations had remained closely
    involved in information technology issues since Y2K. The majority of DoD
    Components and PSAs stated that senior management had remained involved in
    information technology issues since Y2K. For example, senior management for
    ASD(C3I), Air Force, Army, DISA, Joint Staff, and the National Guard attends
    forums on information technology issues. The PSA for Health Affairs
    mentioned the high level of involvement in the change order process and the
    Health Insurance Portability and Accountability Act. The Navy, Marine Corps, and
    the PSA for Communications stated that senior management is still involved in
    information technology issues. On the other hand, the PSAs for Personnel and
    Logistics stated that senior management involvement is decreasing.

    Partnerships. We asked the DoD Components and PSAs if they had continued
    any of the partnerships with other DoD organizations, Federal agencies, States,
    and the private sector formed during Y2K.
    Most DoD Components and PSAs
    continued partnerships started or strengthened during the Y2K conversion
    process. DoD CIO representatives, the Navy, and the PSAs for Personnel,
    Communications, and Logistics continued to attend forums on information
    technology issues. DISA Western Hemisphere continued its strengthened
    relationship with customers. The Air Force continued its partnership with
    DISA. The PSA for Health Affairs continued partnerships with stakeholders
    strengthened during Y2K. The National Guard stated that communication
    improved between the functional and technical personnel. The Army, Marine
    Corps, and Joint Staff did not provide examples.

Lasting Impact of the Year 2000
    During the audit, we asked the representatives from the DoD Components and
    PSAs how they would characterize the lasting impact of the Y2K conversion on
    the way that their DoD Component or PSA manages information technology
    issues. The majority of DoD Components and PSAs characterized the lasting
    impact of the Y2K conversion process on the way senior management manages
    information technology issues as significant. For example, the Army,
    Air Force, and Navy characterized the impact as significant because Y2K
    increased the awareness of the significance of information technology, especially
    with senior management. Also, Y2K improved the software development
    process for the Air Force and increased Navy awareness of the weaknesses in
    some legacy systems. For the Marine Corps, Y2K improved new system
    development to prevent stovepipe development. Additionally, the Joint Staff
    and the PSA for Communications characterized the impact as significant because
    Y2K improved the modernization of information technology.
    For DoD CIO
    representatives, the impact was significant; however, the representatives
    realized that they missed some opportunities. DISA characterized the impact as
    moderate since Y2K did not affect the way it manages information technology;
    however, Y2K did increase awareness of the dependency on information
    technology. The Air National Guard characterized the impact as minor because
    it is responsible for only three systems.

Appendix D. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
Under Secretary of Defense (Comptroller)
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)
Under Secretary of Defense for Personnel and Readiness
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)
  Deputy Assistant Secretary of Defense, Deputy Chief Information Officer
Assistant Secretary of Defense (Health Affairs)
Director, Operational Test and Evaluation

Joint Staff
Director, Joint Staff

Department of the Army
Chief Information Officer, Department of the Army
Inspector General, Department of the Army
Auditor General, Department of the Army
Chief, National Guard Bureau

Department of the Navy
Chief Information Officer, Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy
Inspector General, Marine Corps

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Chief Information Officer, Department of the Air Force
Inspector General, Department of the Air Force
Auditor General, Department of the Air Force
Chief, National Guard Bureau

Other Defense Organizations
Director, Defense Finance and Accounting Service
Inspector General, Defense Information Systems Agency

Non-Defense Federal Organizations
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and
  Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency, Financial Management, and
  Intergovernmental Relations, Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International
  Relations, Committee on Government Reform
House Subcommittee on Technology and Procurement Policy, Committee on
  Government Reform

Acting Assistant Secretary of Defense (Command, Control, Communications, and
Intelligence) Comments

Audit Team Members
The Acquisition Management Directorate, Office of the Assistant Inspector General for
Auditing, DoD, prepared this report. Personnel of the Office of the Inspector General,
DoD, who contributed to the report are listed below.

Mary L. Ugone
Wanda A. Hopkins
Virginia G. Rogers
Maria R. Palladino
Melanie Livingston
W. Ryan Pusey